
Re: bug#11436: Please disable test cp/parent-perm-race on hurd-i386


From: Ludovic Courtès
Subject: Re: bug#11436: Please disable test cp/parent-perm-race on hurd-i386
Date: Wed, 09 May 2012 01:06:34 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.93 (gnu/linux)

Hi,

Samuel Thibault <samuel.thibault@gnu.org> wrote:

> Eric Blake, on Tue 08 May 2012 12:46:57 -0600, wrote:
>> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
>> O_NOFOLLOW
>>     If path names a symbolic link, fail and set errno to [ELOOP].
>> 
>> I wouldn't object to yet another O_* flag that can be used to disable
>> translators,
>
> The problem is that we can't expect people to know about that flag, and
> use it where security is needed.
>
>> but don't see how breaking POSIX semantics of a FIFO just because
>> O_NOFOLLOW was used is warranted.
>
> I don't mean it's warranted.  I mean that it's expected that using
> O_NOFOLLOW will disable translators.  We can however perhaps refine the
> behavior to at least make standard fifos work.

Yes.  In glibc, ‘__hurd_file_name_lookup_retry’ does this:

--8<---------------cut here---------------start------------->8---
        if (flags & O_NOFOLLOW)
          {
            /* In Linux, O_NOFOLLOW means to reject symlinks.  If we
               did an O_NOLINK lookup above and io_stat here to check
               for S_IFLNK, a translator like firmlink could easily
               spoof this check by not showing S_IFLNK, but in fact
               redirecting the lookup to some other name
               (i.e. opening the very same holes a symlink would).

               Instead we do an O_NOTRANS lookup above, and stat the
               underlying node: if it has a translator set, and its
               owner is not root (st_uid 0) then we reject it.
               Since the motivation for this feature is security, and
               that security presumes we trust the containing
               directory, this check approximates the security of
               refusing symlinks while accepting mount points.
               Note that we actually permit something Linux doesn't:
               we follow root-owned symlinks; if that is deemed
               undesireable, we can add a final check for that
               one exception to our general translator-based rule.  */
            struct stat64 st;
            err = __io_stat (*result, &st);
            if (!err
                && (st.st_mode & (S_IPTRANS|S_IATRANS)))
              {
                if (st.st_uid != 0)
                  err = ENOENT;
                else if (st.st_mode & S_IPTRANS)
                  {
                    char buf[1024];
                    char *trans = buf;
                    size_t translen = sizeof buf;
                    err = __file_get_translator (*result,
                                                 &trans, &translen);
                    if (!err
                        && translen > sizeof _HURD_SYMLINK
                        && !memcmp (trans,
                                    _HURD_SYMLINK, sizeof _HURD_SYMLINK))
                      err = ENOENT;
                  }
              }
          }
--8<---------------cut here---------------end--------------->8---

What about looking up without O_NOTRANS when _HURD_FIFO is found here,
regardless of whether the node is root-owned?

The problem with these hacks is that in a chroot /hurd/{symlink,fifo}
could be anything…

Thanks,
Ludo’.
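The POSIX behaviour the thread is arguing about, as an added example that is not part of the original message or of glibc: on a system with standard POSIX semantics (Linux is assumed; Hurd translators are not modelled), open(2) with O_NOFOLLOW must fail with ELOOP on a symlink while a FIFO, which involves no symlink, still opens. The scratch directory under /tmp and the node names are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create one node of the given kind ("file", "symlink" or "fifo") inside a
   fresh temporary directory, open it with O_NOFOLLOW, and return 0 if the
   open succeeded or the errno value if it failed.  O_NONBLOCK keeps the
   FIFO open from waiting for a writer; the directory is removed again. */
int nofollow_open_errno(const char *kind)
{
    char dir[] = "/tmp/nofollow-XXXXXX";   /* constructed scratch location */
    char target[64], node[64];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return errno;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(node, sizeof node, "%s/node", dir);

    /* A regular file is always created; it is the symlink's target. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { result = errno; goto out; }
    close(fd);

    if (strcmp(kind, "symlink") == 0)
        result = symlink(target, node) == 0 ? 0 : errno;
    else if (strcmp(kind, "fifo") == 0)
        result = mkfifo(node, 0600) == 0 ? 0 : errno;
    else
        result = link(target, node) == 0 ? 0 : errno;   /* plain file */
    if (result != 0)
        goto out;

    /* The check under discussion: a symlink must be refused with ELOOP,
       a FIFO (a real node, no symlink involved) must open normally. */
    fd = open(node, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    result = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);

out:
    unlink(node);
    unlink(target);
    rmdir(dir);
    return result;
}
```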
